Logging Template
Use this template to configure local and remote logging parameters. Each requires that you specify the minimum severity level of event to log.
WARNING: Appliance logging levels should only be set to “Notice” unless TAC asks you to set it differently. This applies to both the Minimum severity level field in the Log Configuration area of this template and the Minimum Severity field in the Remote Log Receivers area. Be aware that setting this level to “Debug” will generate logs for all modules that are turned on, which causes the packet processing engine to spend excessive time logging instead of forwarding packets.
- Set up local logging in the Log Configuration and Log Facilities Configuration sections.
- Click the Anonymize IPs check box to enable anonymizing IP addresses in log messages. If enabled, select an option from the Bit Masking drop-down menu to indicate how IP addresses have bit masking applied in log messages.
- Click the Jsonify check box to convert firewall policy and IDS/IPS log messages to JSON when exported.
- Uniquely assign log facilities for System, Audit, Firewall, and IDS/IPS Events; they cannot overlap. For example, System can be assigned to local2 and Audit to local3, but both cannot be assigned to local2.
- Set up remote logging by using the Remote Log Receivers section.
For detailed information on logging, see Logging Tab.
Minimum Severity Levels
In decreasing order of severity, the levels are as follows. See the WARNING note above.
Severity Level | Description |
---|---|
EMERGENCY | System is unusable. |
ALERT | Includes all alarms the appliance generates: CRITICAL, MAJOR, MINOR, and WARNING. |
CRITICAL | Critical event. |
ERROR | An error. This is a non-urgent failure. |
WARNING | A warning condition. Indicates an error will occur if action is not taken. |
NOTICE | A normal, but significant, condition. No immediate action required. |
INFO | Informational. Used by Support for debugging. |
DEBUG | Used by Support for debugging. |
NONE | If you select NONE, no events are logged. |
- If NOTICE is selected (the default setting), the log records any event with a severity level of NOTICE, WARNING, ERROR, CRITICAL, ALERT, and EMERGENCY.
- These are related to event logging levels, not alarm severities, even though some naming conventions overlap. Events and alarms have different sources. Alarms, after they clear, list as the ALERT level in the Event Log.
- In the Log Facilities Configuration section, assign each message/event type (System / Audit / Firewall / IDS/IPS) to a syslog facility level (local0 to local7).
Configure Remote Logging
You can configure the appliance to forward all events, at and above a specified severity, to a remote syslog server.
A syslog server is independently configured for the minimum severity level that it will accept. Without reconfiguring, it might not accept as low a severity level as you are forwarding to it.
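The following Python sketch is an added example, not vendor code. It shows how a receiver can check the facility plan, decode the event type and severity from a forwarded message, and list the levels its own floor would drop. It assumes forwarded messages carry a standard syslog `<PRI>` header (facility × 8 + severity); the Firewall and IDS/IPS facility assignments and the sample lines are constructed for illustration.

```python
import re

# Standard syslog severity codes 0-7; the names match the table on this page.
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTICE", "INFO", "DEBUG"]

# Assumed plan: System=local2 and Audit=local3 follow the page's example;
# Firewall=local4 and IDS/IPS=local5 are illustrative choices.
FACILITY_PLAN = {"System": "local2", "Audit": "local3",
                 "Firewall": "local4", "IDS/IPS": "local5"}


def check_plan(plan):
    """Return facilities assigned to more than one event type (must be empty)."""
    seen, clashes = set(), set()
    for facility in plan.values():
        if facility in seen:
            clashes.add(facility)
        seen.add(facility)
    return sorted(clashes)


def decode(line, plan=FACILITY_PLAN):
    """Split the <PRI> header into (event type, severity name)."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)
    by_facility = {f: t for t, f in plan.items()}
    # Facility codes 16-23 are local0-local7; anything else is outside the plan.
    return by_facility.get(f"local{facility - 16}", "unplanned"), SEVERITIES[severity]


def passes(severity, minimum):
    """True if an event at `severity` is logged under the floor `minimum`."""
    if minimum == "NONE":
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(minimum)


def lost_at_receiver(appliance_min, receiver_min):
    """Levels the appliance forwards but the receiver's own floor discards."""
    return [s for s in SEVERITIES
            if passes(s, appliance_min) and not passes(s, receiver_min)]


# Constructed sample lines (not real appliance output).
SAMPLES = ["<149>Jan 10 12:00:01 ec-01 system: link up",     # local2.NOTICE
           "<156>Jan 10 12:00:02 ec-01 audit: admin login",  # local3.WARNING
           "<167>Jan 10 12:00:03 ec-01 fw: flow detail"]     # local4.DEBUG
```

A non-empty result from `lost_at_receiver` means the receiver must be reconfigured before it stores everything the appliance sends.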
To configure remote logging:
- Under Remote Log Receivers, click Add.
- For each remote syslog server that you add to receive the events, complete the following fields with the appropriate information.

Field | Description |
---|---|
Host Name | Host’s IP address. |
Port | Port number of the remote syslog server. Valid values range from 2 through 65535. |
Protocol | Select the protocol you want to apply: UDP, TCP, or TCP SSL. |
Minimum Severity | Select the minimum severity level of messages you want to log (see the WARNING message above): None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug. |
Facility | Select all, local1, local2, local3, local4, local5, local6, or local7. |
Client Certificate | If you selected TCP SSL protocol, do one of the following: Complete the instructions below for adding a client certificate using an orchestrated appliance end entity profile. This is the recommended method. Complete the instructions below for adding a client certificate using the legacy method of uploading a certificate and key files. Click View to view the client certificate. Click Don’t Apply if you do not want to apply a client certificate. |
Verify | Click this cell to display a check box, and then select it to verify the server certificate. |
Add a Client Certificate
You can add a client certificate in two ways. The recommended method is to use an orchestrated appliance end entity profile. The legacy method is to upload a certificate and key files.
To add a client certificate using an appliance end entity profile:
- In the Client Certificate column, click Add.
  The Add Remote Receiver SSL Certificate dialog box opens.
- Click Use End Entity Certificate.
- Select the end entity certificate profile from the menu.
- Click Add.
To add a client certificate using the legacy method of uploading a certificate and key files:
- In the Client Certificate column, click Add.
  The Add Remote Receiver SSL Certificate dialog box opens.
- Click Upload Certificate.
- Complete the following fields.

Field | Description |
---|---|
PFX Certificate File | To use a PFX certificate file, select this check box. |
Certificate File | Click Choose File. Locate and select the certificate file, and then click Open. |
Private Key File | Click Choose File. Locate and select the private key file, and then click Open. If you selected PFX Certificate File, this field is disabled. |
Import Password | Enter the import password for the certificate. |
Passphrase | Enter the passphrase for the certificate. |

- Click Add.